[OpenAFS] Re: OpenAFS and AD trusts

Danko Antolovic dantolov@indiana.edu
Thu, 15 Sep 2011 11:10:40 -0400

Let me revisit the discussion about AD trusts and foreign users. I 
authenticate to my AFS as a foreign user, dantolov@iu.edu, via the AD 
trust that the AFS authentication domain, RESOURCE.NET, has with my 
user-authentication domain, IU.EDU.  aklog sets up the appropriate 
foreign-realm group and user:

[root@afs1c afs]# pts  listentries -groups  -noauth
Name                          ID  Owner Creator
system:administrators       -204   -204    -204
system:backup               -205   -204    -204
system:anyuser              -101   -204    -204
system:authuser             -102   -204    -204
system:ptsviewers           -203   -204    -204
system:authuser@iu.edu      -207   -204       2

[root@afs1c afs]# pts  membership  system:authuser@iu.edu  -noauth
Members of system:authuser@iu.edu (id: -207) are:

[root@afs1c afs]# pts  listentries -users  -noauth
Name                          ID  Owner Creator
anonymous                  32766   -204    -204
afs                            1   -204   32766
dantolov                       2   -204   32766
dantolov@iu.edu          1507121   -204    -204

and I get a normal-looking token as a foreign user:

[root@afs1c afs]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1507121) tokens for afs@afs1.bedrock.iu.edu [Expires Sep 15 19:08]
   --End of list--

However, this does not let me touch the files in the cell. Trying to add 
the foreign-realm group to the directory ACL, like this:

[root@afs1c afs]# fs  setacl -dir  /afs/afs1.bedrock.iu.edu  -acl system:authuser@iu.edu  rlidwka

does not seem to work, and just adds the group system:authuser to the 
ACL once more:

[root@afs1c afs]# fs listacl  /afs/afs1.bedrock.iu.edu
Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
  system:administrators rlidwka
  system:authuser rlidwka
  system:authuser rlidwka
  system:anyuser rl

The documentation says that broadening the privileges of system:anyuser 
grants access to foreign users, but that is too indiscriminate. Is there 
a way to selectively assign access rights to foreign-realm groups?


Danko Antolovic

Andrew Deason wrote:
> On Tue, 19 Jul 2011 13:52:08 -0400
> "Danko Antolovic" <dantolov@indiana.edu> wrote:
>> [root@afs1c afs]# pts adduser -user dantolov  -group  system:authuser@iu.edu -noauth
> No, don't do this. In your setup, the _only_ user that will be
> recognized as "dantolov" is someone that authenticates with the
> principal dantolov@RESOURCE.NET, which, if I understand correctly, does
> not exist, so there should not be a user called "dantolov" at all. The
> user that authenticates via the kerberos principal dantolov@IU.EDU will
> have the AFS PT name "dantolov@iu.edu" if IU.EDU is not in krb.conf.
>> Predictably, when I authenticate as a foreign user (via trust), I can't
>> touch the files in /afs/afs1.bedrock.iu.edu  
> aklog is supposed to automatically create the user dantolov@iu.edu and
> add it to system:authuser@iu.edu for you; you don't need to do it
> yourself. Does dantolov@iu.edu exist? What does aklog say when you give
> it the -d option when you authenticate with dantolov@IU.EDU ?
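As an added example, not part of this thread or of OpenAFS itself: a small Python script that parses the `pts listentries` and `fs listacl` listings in the shape shown above (the copies embedded in it are constructed from the post's output) and reports what an administrator reviewing foreign-realm access would want to see: duplicated ACL entries, ACL names that do not resolve in the PTS database, foreign-realm entries present in or absent from the ACL, and whether system:anyuser has been widened beyond rl. The column layout it assumes is taken from the listings in the post; the function names are the example's own.

```python
"""Audit an OpenAFS directory ACL against the PTS database.

Added example: parses `pts listentries` and `fs listacl` output in the
layout shown in the mailing-list post and flags the points an admin
checking foreign-realm access would look for.
"""
import re
from collections import Counter

# Constructed sample in the shape of `pts listentries -groups` output
# (modelled on the listing in the post, embedded so this runs offline).
PTS_GROUPS = """\
Name                          ID  Owner Creator
system:administrators       -204   -204    -204
system:backup               -205   -204    -204
system:anyuser              -101   -204    -204
system:authuser             -102   -204    -204
system:ptsviewers           -203   -204    -204
system:authuser@iu.edu      -207   -204       2
"""

# Constructed sample in the shape of `fs listacl` output; the duplicated
# system:authuser line reproduces the symptom described in the thread.
ACL_TEXT = """\
Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
  system:administrators rlidwka
  system:authuser rlidwka
  system:authuser rlidwka
  system:anyuser rl
"""


def parse_pts_entries(text):
    """Map each PTS name to its id/owner/creator from `pts listentries` output.

    Assumes the whitespace-separated 'Name ID Owner Creator' layout and
    skips the header row.
    """
    entries = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 4:
            continue
        name, pid, owner, creator = parts
        entries[name] = {"id": int(pid), "owner": int(owner), "creator": int(creator)}
    return entries


def parse_acl(text):
    """Parse `fs listacl` output into (path, normal_entries, negative_entries)."""
    path, section = None, None
    normal, negative = [], []
    for line in text.splitlines():
        m = re.match(r"Access list for (\S+) is", line)
        if m:
            path = m.group(1)
        elif line.strip() == "Normal rights:":
            section = normal
        elif line.strip() == "Negative rights:":
            section = negative
        elif line.strip() and section is not None:
            name, rights = line.split()
            section.append((name, rights))
    return path, normal, negative


def is_foreign(name):
    """Foreign-realm PTS names carry the lowercased realm after '@'."""
    return "@" in name


def audit(pts_text, acl_text):
    """Cross-check one ACL against the PTS listing and return the findings."""
    entries = parse_pts_entries(pts_text)
    path, normal, negative = parse_acl(acl_text)
    names = [n for n, _ in normal]
    anyuser_rights = [r for n, r in normal if n == "system:anyuser"]
    return {
        "path": path,
        # the same name listed twice is never intended; here it is the symptom
        "duplicate_entries": sorted(n for n, c in Counter(names).items() if c > 1),
        # ACL names with no PTS entry (stale or mistyped grants)
        "unknown_entries": sorted(set(names) - set(entries)),
        "foreign_in_acl": sorted(n for n in names if is_foreign(n)),
        "foreign_groups_not_in_acl": sorted(
            n for n in entries if is_foreign(n) and n not in names),
        # widening system:anyuser beyond rl opens the directory to everyone
        "anyuser_broader_than_rl": any(set(r) - set("rl") for r in anyuser_rights),
        "negative_entries": negative,
    }


if __name__ == "__main__":
    for key, value in audit(PTS_GROUPS, ACL_TEXT).items():
        print(f"{key}: {value}")
```

Run against the thread's listings it reports system:authuser as a duplicate entry and system:authuser@iu.edu as a foreign-realm group that never made it onto the ACL, which is exactly the mismatch the post describes; the same functions can be pointed at the real output of the two commands on a server.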